Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Setting https_timeout does not invoke failsafe mode as documented #279

Open
EricHorst opened this issue Jun 22, 2024 · 1 comment
Open

Setting https_timeout does not invoke failsafe mode as documented #279

EricHorst opened this issue Jun 22, 2024 · 1 comment

Comments

@EricHorst
Copy link

For pam_duo, setting https_timeout does not invoke failmode as documented. Failmode is never invoked if the Duo API is unreachable and times out.

This makes it impossible to configure pam_duo to fail "safe" in cases where network connectivity is impaired.

Description

The documentation for https_timeout says the following which is incorrect:

Set to the number of seconds to wait for HTTPS responses from Duo Security. If Duo Security takes longer than the configured number of seconds to respond to the preauth API call, the configured failmode is triggered.

In the case where the HTTPS connection to Duo Security times out, no failmode is triggered.

Expected Behavior

One configures failmode = safe and https_timeout = 10. In this case if Duo API is unreachable for 10 seconds then the safe failmode should be invoked and pam_duo should log failmode access and return pam SUCCESS.

Actual Behavior

One configures failmode = safe and https_timeout = 10. There is no error logged and no failmode invoked. pam_duo simply fails.

Steps to Reproduce

  1. In pam_duo.conf configure failmode = safe and https_timeout = 10
  2. Break server network connectivity so that the duo API host is unreachable.
  3. HTTPS connection times out
  4. "safe" failmode is not invoked.

Workarounds

None possible.
@AaronAtDuo
Copy link
Contributor

@EricHorst Based on my reading of the setting https://duo.com/docs/duounix#duo-configuration-options, I believe you are describing a slightly different scenario than what https_timeout affects.

If Duo Security takes longer than the configured number of seconds to respond to the preauth API call, the configured failmode is triggered. Other network operations such as DNS resolution, TCP connection establishment, and the SSL handshake have their own independent timeout and retry logic.

The way I read that is, this timeout only applies if the connection to Duo is made, but the response does not occur within the timeout. A delay in reaching Duo to establish the connection will not trigger this timeout. Unfortunately we don't appear to have a timeout control that covers that scenario. This config option could be named more clearly, something like "duo_timeout" would have been more descriptive.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@EricHorst @AaronAtDuo